
TL;DR:

Question: how do I configure Tripwire to watch EVERYTHING that is below a certain path? My current config seems to only be looking at certain files / directories in a given path instead of everything.

Background / Full story:

I've recently installed Tripwire on a server that had some vulnerable PHP code. I added a rule called "Websites" that includes a number of sites that are run from the server (snippet below).

 # Ruleset for websites
 (
   rulename = "Websites",
   severity = $(SIG_HI),
   emailto = "webmaster@hackedsite.com"
 )
 {
   /home/foouser1/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser2/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser3/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser4/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser5/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser6/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser7/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser8/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser9/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser10/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser11/www/ -> $(SEC_CRIT) (recurse = 1);
   /home/foouser12/www/ -> $(SEC_CRIT) (recurse = 1);
 }

I then updated the policy using:

/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt

I entered my site key as expected, and the policy was updated without error.

When I run a check, there are no errors and no violations.

Then, to test it, I added an extra space to one of the files (/home/foouser1/www/foo/bar/js/script.js), which had previously (and repeatedly) been compromised. This should trigger a violation.

Re-running the check (tripwire --check -R Websites -v) shows several issues:

  1. Tripwire was ignoring the file, even though it is below the declared file path /home/foouser1/www.
  2. It scans a bunch of files that are in /home/foouser1/www, but not all of them.

Finally, when I compare the directory contents of /home/foouser1/www to the number of files scanned by tripwire, there is a huge difference.

find /home/foouser1/www/ -type f -print | wc -l shows me there are 3,000+ files in that directory that should be watched by tripwire.

find /home/foouser1/www/ -type d -print | wc -l shows me there are 192 sub directories in that directory that should be watched by tripwire.

Tripwire reports that it only looked at 192 objects.

DrDamnit

1 Answer


Turns out that (recurse=1) is not needed. Recursive checking of files and subdirectories is on by default. But, in order to capture minuscule changes (single-byte changes, for example), you need to check the hash of the file (SHA is preferred). So, you can use the following variable as mask:

SEC_HACK_DETECT = $(IgnoreNone)-a ; # Files that should not change

Between these two changes, Tripwire then works as expected.

DrDamnit
  • Is this still valid with the new version of tripwire? It seems like the variable is updated to be used as SHa -> `SEC_CRIT = $(IgnoreNone)-SHa ;`. Also, can you explain what the '-a' means? Why not use -SHa? – MaXi32 Jul 29 '20 at 08:49
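As an added illustration, not part of the original question, answer or comment: the script below expands a Tripwire property-mask expression such as `$(IgnoreNone)-a` into the set of object properties Tripwire will record and compare, so the difference between `-a` and `-SHa` can be read off directly. The property letters and the predefined variables (`ReadOnly`, `IgnoreNone`, and so on) are taken from the twpolicy(4) man page and are assumptions to verify against the twpol.txt shipped with your version; the left-to-right evaluation in which a later `+`/`-` overrides an earlier one is likewise an assumption about how the mask is read.

```python
# Added example (not from the original question or answer): expand a Tripwire
# property-mask expression like "$(IgnoreNone)-a" into the properties that
# will actually be checked, to show what "-a" and "-SHa" remove.

import re

# Property letters as documented in twpolicy(4). Assumed to match the
# installed Tripwire version; verify against your own twpol.txt.
PROPERTIES = {
    "a": "access timestamp",
    "b": "number of blocks allocated",
    "c": "inode timestamp (create/modify)",
    "d": "ID of device on which inode resides",
    "g": "file owner's group ID",
    "i": "inode number",
    "l": "file is increasing in size (growing file)",
    "m": "modification timestamp",
    "n": "number of links",
    "p": "permission and file mode bits",
    "r": "ID of device pointed to by inode (device objects only)",
    "s": "file size",
    "t": "file type",
    "u": "file owner's user ID",
    "C": "CRC-32 hash",
    "H": "Haval hash",
    "M": "MD5 hash",
    "S": "SHA hash",
}

# Predefined variables from twpolicy(4); also an assumption, check your policy.
BUILTIN_VARS = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

_VAR_RE = re.compile(r"\$\((\w+)\)")


def expand_vars(expr, variables=BUILTIN_VARS):
    """Substitute $(NAME) references, repeatedly, until none remain."""
    prev = None
    while prev != expr:
        prev = expr
        expr = _VAR_RE.sub(lambda m: variables[m.group(1)], expr)
    return expr


def checked_properties(expr, variables=BUILTIN_VARS):
    """Return the set of property letters a mask expression turns on.

    Assumed semantics: the flattened mask is read left to right, '+' enables
    and '-' disables the letters that follow, and a later occurrence of a
    letter overrides an earlier one.
    """
    flat = expand_vars(expr, variables)
    enabled = set()
    mode = "+"  # a mask with no leading sign is treated as additive
    for ch in flat:
        if ch in "+-":
            mode = ch
        elif ch in PROPERTIES:
            if mode == "+":
                enabled.add(ch)
            else:
                enabled.discard(ch)
        elif ch.isspace():
            continue
        else:
            raise ValueError(f"unknown property letter {ch!r} in {expr}")
    return enabled


def describe(expr):
    """Human-readable summary of what a mask checks and what it ignores."""
    props = checked_properties(expr)
    lines = [f"{expr} -> {expand_vars(expr)}"]
    for p in sorted(props, key=lambda c: (c.isupper(), c)):
        lines.append(f"  + {p}: {PROPERTIES[p]}")
    ignored = sorted(set(PROPERTIES) - props)
    lines.append("  ignored: " + ", ".join(ignored))
    return "\n".join(lines)


if __name__ == "__main__":
    # The two masks discussed above, plus the stock ReadOnly mask for comparison.
    for mask in ("$(IgnoreNone)-a", "$(IgnoreNone)-SHa", "$(ReadOnly)"):
        print(describe(mask))
        print()
```

Running it shows that `-a` removes only the access timestamp, which changes whenever a file is merely read and would otherwise generate a violation on every web request, while keeping all four hashes. `-SHa` additionally drops the SHA and Haval hashes, leaving CRC-32 and MD5 to detect content changes such as the single-byte edit to script.js described above.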